U.S. Federal Law Authors: Jason Bloomberg, marlin xp, Maureen O'Gara


Compliance Essentials: Standard Methods of Fulfilling Requirements

Improve information security and comply with regulatory requirements

From the health care industry to the financial industry, the influx of network security incidents has impacted any organization that employs the Internet to expedite business processes. As a result, anyone enlisting the services of these companies is susceptible to identity theft or fraud. Responding to this issue, the U.S. government has amplified its legislation dealing with infrastructure security through bills including Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the U.S. Government Information Security Reform Act (GISRA), the Gramm-Leach Bliley Act (GLBA), and the Children's Internet Protection Act (CIPA).

These laws require organizations in their respective industries to ensure the safe transfer and storage of personal information. Through strict enforcement of compliance regulations, including tough penalties for violators, the government has dramatically influenced how companies contend with network security issues. In this article, readers will learn the requirements and legal ramifications for each act and gain practical and strategic guidance for achieving compliance.

A reliable indicator of when a particular practice has reached some degree of maturity, or at least adolescence, is the moment when the federal government begins to regulate it. Perhaps an even greater degree of accuracy for discerning that point is when regulations are enforced. An illustrative example is antitrust legislation, which began in 1890 with the Sherman Antitrust Act, but was not enforceable until the passing of the Clayton Act in 1914. Judging by these criteria and allowing for the slightly speedier movement of the U.S. government in the Internet age, information security is on the cusp of its maturity. A variety of pieces of legislation have reached, or will soon be reaching, their compliance deadlines.

The Legislation
After the headier days of the late 1990s, the federal government took steps to curb irregularities and risks with a series of regulations aimed at particular industries or practices. Public companies with a market capitalization of more than $75 million are perhaps most affected by the SOX Act. This act, among other things, requires checks on the integrity of information involved in the business processes that feed into the enterprise's balance sheet. Certain SOX compliance deadlines have already passed, whereas others are due this year and next.

Two notable regulations are already in full effect. In the health care sector, HIPAA requires a variety of measures designed to safeguard the privacy of patients while facilitating the move to electronically stored (i.e., "portable") medical records.

The GLBA has provisions already in effect that specify how financial institutions can use and share their clients' financial information with other organizations.

The U.S. federal government has not left itself out. The GISRA, which expired in 2002, has had many of its provisions made permanent in the Federal Information Security Management Act (FISMA). Since the Bush administration ordered that funding for IT projects be tied to security compliance, FISMA has become even more critical for both federal agencies and the vendors who sell to them. Important elements of FISMA include the following:

  • The National Institute of Standards and Technology (NIST), collaborating with federal agencies, develops mandatory IT security standards and guidelines for nonclassified federal IT systems.
  • Agencies develop system configuration requirements and provide ongoing monitoring and maintenance.
  • Agencies test security controls at least annually.
  • Agency CIOs designate a senior agency information security officer to ensure FISMA compliance.
  • Agencies provide an inventory of their IT assets.
Other regulations are tangentially related to the "big four" noted previously. The CIPA is a federal law requiring libraries and schools to take measures to block minors' Internet access to obscene materials, inappropriate e-mail, adult chat rooms, or "hacking."

California has passed a law, known variously as Senate Bill (SB) 1386 or the California Database Protection Act. This requires companies doing business with customers in California to notify them if they suspect that any of their customers' personal information has been accessed by an unauthorized party. Similar legislation has been proposed in the U.S. Congress, although it has not been passed yet.

Finally, the private sector has joined in, with Visa and MasterCard regulating both their merchants and service providers. Visa's initiative is called the Cardholder Information Security Program (CISP) and MasterCard's is called the Site Data Protection (SDP) program. Both programs require that all merchants and service providers are assessed for key information security best practices and, depending on the size of the merchant, evaluate systems involved in the handling or processing of cardholder information for security vulnerabilities.

Key Trends
Although it may seem that the factors driving the passage of these laws are obvious, it is worth specifying which elements within the broad categories of information security and privacy are tied to each specific piece of legislation. Apart from self-evident issues, the regulations address concerns about the security of personally identifiable information (PII) or accountability for IT systems that process sensitive material, including the monitoring and maintenance of those systems.

HIPAA, GLBA, and California SB 1386 can be placed in the former category. The prevalence of identity theft has called attention to the security of databases of financial or other personal information maintained by a variety of institutions. This is particularly true when those databases are either accessible from the Internet or, as is more common, are connected to systems (e.g., Web servers) that are.

The second important trend that is driving tighter and more detailed regulations is accountability for IT systems and the processes that rely on them. The past decade saw an IT expansion the likes of which may never be seen again. In addition, the sheer quantities of IT equipment that were purchased provided a serious challenge for organizations seeking to track their assets. Once critical data and processes began to be stored or executed on these assets, the seeds were sown for both information security vulnerabilities and the concomitant legislation.

This has led to specific provisions in several of the regulations described previously. In the case of SOX, public companies' chief financial officers and chief executives become personally responsible for the tabulated results of electronic business processes. This made the integrity and security of the systems that enable those processes critical in ways that they were not before. Human auditors can no longer provide adequate supervision of certain business processes due to the volume of information. Thus, automated audit mechanisms, highly specific to the related business process, are being developed to provide the oversight required by law.

For FISMA, in addition to the aforementioned required IT asset inventories, the certification and accreditation of systems also feeds into a report card issued by a House subcommittee. FISMA, however, is more directly a response to the 1.4 million documented cyber security incidents involving federal agencies in 2003. This is a statistic from the Federal Computer Incident Response Center.

Basic Compliance Strategies
In general, the following measures will address the basic compliance requirements for information security regulations:

  • Full inventory of IT systems involved in the processing, storage, or transmission of sensitive data
  • Information security policy and a corresponding awareness and training program
  • Privacy policy
  • Computer security incident response plan
Beyond these elementary steps, organizations must determine to which regulations they are subject. Although this may seem entirely obvious (i.e., federal agencies are responsible for complying with FISMA, and public companies must adhere to the requirements of SOX), the applicability of some of the regulations discussed in this article is slightly trickier to determine.

For example, any organization that does business transactions with California customers and stores their data on an IT system is subject to SB 1386, even if that organization is not located in California. In addition, companies that have their own health or dental plans and store employee medical information may be subject to certain provisions of HIPAA. Finally, companies that do not consider themselves financial institutions may need to be compliant with GLBA if they collect, store, and share financial information about their customers with their business partners.

Before moving on to specific legislation, it is critical to define the terms "security" and "privacy," as they are employed here. In the information security world, it is often said that it is possible to secure information without making it private. However, it is not possible to keep information private without securing it. Information security is generally defined as the ability to control access to information and protect it from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss. Privacy is controlling who is authorized to access the secured information or the right of individuals to keep information about themselves from being disclosed, depending on the context.

Sarbanes-Oxley 101
The bulk of current compliance efforts at U.S. corporations are likely directed toward SOX, which became U.S. law in July 2002 and has come into effect section by section. A major deadline passed as recently as June 15, 2004, when Section 404 became effective. Section 404 is perhaps the most relevant to information security, as it refers to management assessment of internal controls for financial processes.

In tactical terms, this means that financial reporting systems must have controls that follow internationally recognized auditing frameworks, such as the one provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Specific to IT and information security, standards such as Control Objectives for Information and Related Technology (CObIT) and ISO 17799 have been recommended for compliance by the SEC in clarification rulings. It is critical to note that "financial reporting systems" refers to more than simply spreadsheets and databases, and includes informal reporting channels such as e-mail. Reporting systems can potentially include policies, plans, processes, systems, and procedures of all manners at every level of the organization.

Although other types of process development may constitute the majority of the work in a typical SOX compliance effort, information security concerns must pervade any successful effort. Section 404 requires the implementation of controls that protect and monitor the integrity of financial reporting processes. It also requires reporting on the efficacy of those controls. In addition, Sections 409 and 802 have serious integrity-related implications for material changes (to the company's financial conditions) and audit records, respectively.

From an IT perspective, SOX compliance can present a confusing situation at best. Many CIOs have viewed SOX as an audit or financial issue, although this interpretation has proven incorrect. The primary goal of SOX is to ensure the integrity of financial reporting systems. Nearly all of these use IT and therefore must be in the scope of any successful compliance project.

IT compliance efforts have generally taken a five-step approach for each relevant system:

  • Determine how the system will be operated and configured once it is in compliance, including processes and controls.
  • Assess the current state of the system, performing a gap analysis relative to the compliant state.
  • Implement any process improvements or new controls, and remedy any identified vulnerabilities.
  • Monitor the system to ensure that it is in line with the compliance requirements (i.e., with vulnerability scanning, intrusion detection, or log monitoring).
  • Report on the compliance status in a format that is intelligible to the audit staff or other management.
Information Security and HIPAA
Compliance with HIPAA, which most large health care providers should have achieved already, is a complex proposition. For the vast majority of enterprises not in the health care sector, HIPAA will only be relevant to any medical information stored about employees or their spouses on the enterprise's IT systems (see sidebars). The first step an organization should take is to identify and review all policies relating to physical or electronic access to the relevant data (i.e., medical records) and the protection of that data. The next step in the information-gathering phase is to create questionnaires that address all aspects of data storage, transmission, protection, confidentiality, and privacy for the relevant data.

The second step of a compliance effort is generally a gap analysis, which compares the current state of data security and privacy with "best practices." HIPAA itself has no clearly defined, technology-related or risk-related standards, so a due diligence approach based on best practices is required.

The third step of the plan is generally a "compliance roadmap," which describes how the organization plans to close critical gaps in security and privacy. The actions should be categorized as technology implementations, policy changes, or auditing procedures.

This remediation planning should also encompass how the organization will maintain compliance, which could include any or all of the following:

  • Auditing
  • Intrusion detection
  • Enterprise security management
  • Privacy "opt-in/opt-out"
  • Monitoring plan
In any HIPAA assessment, it is critical to note that health care organizations are affected by both HIPAA and state laws, and that privacy regulations such as HIPAA do not preempt state law or other federal law. Any state law or regulation that is contrary to, or more stringent than, the corresponding HIPAA rule retains primacy.

HIPAA has no prescribed implementation measures for either its security or privacy rules, so implementations will vary according to the type and size of the covered organization. Just as with the other regulations mentioned in this article, best practices need to be implemented and followed to achieve compliance (see Figure 1).

Options for GLBA
Most companies should have been in compliance with GLBA when the deadlines passed in July of 2001 and in May of 2003. However, newer companies or those just starting to electronically store personal information about their clients may still need to take steps to comply. Similar to many of the other regulations, compliance with GLBA can be achieved through information security best practices in general and a few privacy initiatives specifically.

The specific compliance issues brought up by GLBA pertain largely to handling customer information collected via the Web or other sources and the sharing of that information. Basic security measures for Web sites that collect information from customers should be applied, including SSL encryption for transmission, cookie encryption, and account lockouts. In addition, GLBA specifies that customers must be asked to explicitly "opt-in" if the enterprise is to be able to share customer information with other institutions (see Table 1).

Other Regulations
FISMA compliance efforts have largely centered on key metrics, such as the percentage of IT systems that have been certified and accredited or the percentage of significant new IT investments that integrate security into their lifecycles. Other goals are process-related, requiring each agency, for example, to have a centralized set of procedures to identify, track, and correct security vulnerabilities. To coordinate these processes, many agencies have hired full-time chief information security officers.

CIPA compliance is a significantly easier proposition. Most commercial content filtering software meets the requirements of the legislation, as it has become an essential selling point. Certain configuration changes to PCs in libraries and schools are also helpful, such as disabling administrative access and certain services.

In the private sector, California SB 1386 has simpler requirements. The key step for any enterprise with California clients is to develop and document an incident response plan specifying notification procedures. If such a plan is in place, the organization may follow its own process, rather than the onerous procedures prescribed by the law itself. Protecting systems that store, process, or transmit personal information about organizations' clients is sound business practice in any case, and is the only other general rule to comply with this California statute.

Much to the relief of many organizations and executives, the stiff penalties mentioned in much of the legislation have not yet been applied systematically to violators. This relief may be short-lived, as both SOX and HIPAA hold out the threat of prison time for executives who sign off on financial results of questionable provenance. The SEC, which enforces SOX, will likely not pursue vigorous enforcement until it finishes with the Enron and WorldCom cases (and those of the other corporations whose conduct inspired the passage of SOX in the first place). Once each provision of the law has come into effect and pending clarification decisions are rendered, the SEC should enforce the law pursuant to those decisions.

By contrast, the FTC, which enforces GLBA, has already fined companies for violating the privacy of their customers. The most famous example of this was Eli Lilly, which mistakenly did not obfuscate the e-mail addresses of Prozac patients on a targeted bulk e-mail.

Another federal agency, Health and Human Services (HHS), enforces HIPAA. Security provisions are enforced via the Centers for Medicare and Medicaid Services (CMS), and the HHS Office for Civil Rights enforces the privacy component of the act. CMS is currently assembling an enforcement staff, writing a regulation that outlines the enforcement program, implementing the enforcement system, and beginning to accept complaints. According to CMS, it intends to "provide education and technical assistance to covered entities to help them achieve compliance, rather than seeking out noncompliant entities and imposing fines on them." If a covered organization is identified as noncompliant, CMS plans to work with it to achieve compliance and would only impose civil monetary penalties if these efforts fail.

FISMA is enforced by a combination of government entities. The Office of Management and Budget develops the Federal Computer Security Report Card for each agency using agencies' quarterly-updated plans of action and milestones (POA&M) and IT security performance metrics. Inspectors general and the General Services Administration (GSA) also play a role. Additionally, IT security is a crucial component of a "green" rating on the President's Management Agenda's quarterly E-Government Scorecard.

CIPA is enforced by the FCC, which withholds the discounts offered by the "E-Rate" program to schools and libraries that do not certify their compliance.

The enforcement of other legislation, such as California SB 1386, is more of a question mark. In theory, a corporation subject to a hacking incident would be in violation of the law if it (a) had California customers and (b) could not prove that the database containing the customers' information was not inappropriately accessed.

It remains to be seen how this law will be enforced in practice.

Although it may be quite easy to become frustrated by the alphabet soup of recent information security regulations, everyone from executives to IT personnel can take solace in the fact that few of the regulations specify any practice that is not already part of the information security canon. "Best practices" is an overused term in the private sector but is nearly ubiquitous in these regulations. By taking a sensible, standards-based approach, organizations can both improve their information security and comply with the vast majority of regulatory requirements. After that, the targeted compliance measures for the regulations that cover the organization become much more manageable.

Additional Resources

  • Verisign: www.verisign.com/
  • American Library Association: Child Internet Protection Act: www.ala.org/cipa/
  • United States Computer Emergency Readiness Team: www.us-cert.gov/federal/

Sidebar: Basic HIPAA Assessment Elements

  • Administrative security
  • Policies
  • Procedures
  • Physical security
  • Technical security
  • Privacy
  • Coding practices

Sidebar: HIPAA Technologies
In addition to process solutions, a wide variety of technologies can aid in a HIPAA compliance effort:

  • Firewalls
  • VPNs
  • Auditing tools
  • Password policy enforcement tools
  • Intrusion detection tools
  • Encryption tools
  • PKI
  • Digital signatures
  • Authentication technologies
  • Other access control devices